Ava-511: Aware iOS app persists data across user sessions

Release Date

06 Sept 2021.

Overview

The iOS app persists data related to cameras, alarms etc. on the mobile device even after the user logs out. So if the device is shared amongst multiple users, some users might be able to access data they do not have permissions for.

Affected Products

• Ava Aware:
  • All iOS app versions before 2.6.0.
  • All iOS app Beta versions before 2.6.0.

Unaffected Products

• Ava Aware: all versions of the web client and Android app.
• Ava cameras: all versions.
• Ava Cloud: all versions.

Resolution

This issue has been fixed in Ava Aware iOS Beta version 2.6.0 and Stable version 2.6.0. It is strongly recommended that all users using an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the iOS App Store.

Vulnerability Information

• CVE: pending
• CVSSv3 score: 5.0 (Medium)
• CVSSv3 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 03/08/2021 Issue found internally by Ava Security
• 04/08/2021 Root cause established
• 04/08/2021 Fix identified
• 19/08/2021 Patched Ava Aware iOS app (Beta) released
• 02/09/2021 Patched Ava Aware iOS app (Stable) released
• 06/09/2021 Vulnerability publicly disclosed